It strikes me that the best approach is to just dynamically generate the
memberOf values instead of storing them statically. But that also depends on
your usage patterns.

Well, searches on member and memberOf are common, so it seems we would
quickly find ourselves downloading the whole backend DB and filtering
locally...

Searching on memberOf doesn't make a lot of sense to me, when you could simply
read the group object directly. When is this actually a useful thing to do? An
alternative would be to make the memberOf overlay intercept these filters and
rewrite them in terms of member.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/